Overflows, Injection, & Memory Safety

Transcription

1 Overflows, Injection, & Memory Safety 1

2 Announcements... Computer Science 161 Fall 2018 Project 1 is now live! Due Friday September 14th Start it early: The add/drop deadline got reduced to September 12th Solo or with a partner, it is up to you 2

3 SHIT... OR NET OF A MILLION SPIES 3

4 Internet of Shit... Computer Science 161 Fall 2018 A device produced by the lowest bidder... That you then connect through the network This has a very wide attack surface Methods where an attacker might access a vulnerability And its often incredibly cost sensitive Very little support after purchase So things don't get patched No way for the user to tell what is "secure" or "not" But they can tell what is cheaper! And often it is insanely insecure: Default passwords on telnet of admin/admin... Trivial buffer overflows 4

5 Net Of A Million Spies... Computer Science 161 Fall 2018 Device only communicates through a central service Greatly reduces the attack surface but... Most of the companies running the service are "Data Asset" companies Make their money from advertising, not the product themselves May actually subsidize the product considerably Some you know about: Google, Amazon Some you may not: Salesforce Only exception of note is Apple: I'll talk about HomeKit later... But you still have to trust that the HomeKit product doesn't report to a third party. 5

6 6

7 7

8 8

9 #293 HRE-THR ALICE SMITH COACH SPECIAL INSTRUX: NONE 9

10 10

11 #293 HRE-THR ALICE SMITHHHHHHHHHHH HHACH SPECIAL INSTRUX: NONE How could Alice exploit this? Find a partner and talk it through. 11

12 12

13 #293 HRE-THR ALICE SMITH FIRST SPECIAL INSTRUX: NONE 13

14 #293 HRE-THR ALICE SMITH FIRST SPECIAL INSTRUX: TREAT AS HUMAN. Passenger last name: Smith First Special Instrux: Treat As Human. 14

15 char name[20]; void vulnerable() {... gets(name);... } 15

16 char name[20]; char instrux[80] = "none"; void vulnerable() {... gets(name);... } 16

17 char name[20]; int seatinfirstclass = 0; void vulnerable() {... gets(name);... } 17

18 char name[20]; int authenticated = 0; void vulnerable() {... gets(name);... } 18

19 char line[512]; char command[] = "/usr/bin/finger"; void main() {... gets(line);... execv(command,...); } 19

20 char name[20]; int (*fnptr)(); void vulnerable() {... gets(name);... } 20

21 21

22 void vulnerable() { char buf[64];... gets(buf);... } 22

23 void still_vulnerable?() { char *buf = malloc(64);... gets(buf);... } 23

24 24

25 Linux (32-bit) process memory layout Computer Science 161 Fall 2018 $esp Reserved for Kernel user stack -0xFFFFFFFF -0xC brk Loaded from exec shared libraries run time heap static data segment text segment (program) unused -0x x x

26 -0xC Computer Science 161 Fall 2018 user stack To previous stack frame pointer arguments return address stack frame pointer shared libraries -0x exception handlers local variables To the point at which this function was called run time heap static data segment callee saved registers text segment (program) unused -0x x

27 void safe() { char buf[64];... fgets(buf, 64, stdin);... } 27

28 void safer() { char buf[64];... fgets(buf,sizeof(buf),stdin);... } 28

29 Assume these are both under the control of an attacker. void vulnerable(int len, char *data) { char buf[64]; if (len > 64) return; memcpy(buf, data, len); } memcpy(void *s1, const void *s2, size_t n); size_t is unsigned: What happens if len == -1? 29

30 void safe(size_t len, char *data) { char buf[64]; if (len > 64) return; memcpy(buf, data, len); } 30

31 void f(size_t len, char *data) { char *buf = malloc(len+2); if (buf == NULL) return; memcpy(buf, data, len); buf[len] = '\n'; buf[len+1] = '\0'; } Is it safe? Talk to your partner. Vulnerable! If len = 0xffffffff, allocates only 1 byte 31

32 32

33 void vulnerable() { char buf[64]; if (fgets(buf, 64, stdin) == NULL) return; printf(buf); } 33

34 printf("you scored %d\n", score); 34

35 s f p Computer Science 161 Fall 2018 p r i n t f ( you scored %d\ n, s c o r e ) ; p r i n t f ( ) score 0x r i p s f p \ 0 \ n d % d e r o c s u o y 0x

36 printf("a %s costs $%d\n", item, price); 36

37 s f p Computer Science 161 Fall 2018 p r i n t f (" a %s c o s t s $%d\ n ", i t e m, p r i c e ) ; p r i n t f ( ) p r i c e item 0x r i p s f p \ 0 \ n d % $ s t s o c s % a 0x

38 Fun With printf format strings... Computer Science 161 Fall 2018 printf("100% dude!"); Format argument is missing! 38

39 s f p Computer Science 161 Fall 2018 p r i n t f ( 100% dude! ) ; p r i n t f ( )??? 0x r i p s f p \ 0! e d u d % x

40 More Fun With printf format strings... Computer Science 161 Fall 2018 printf("100% dude!"); prints value 4 bytes above retaddr as integer printf("100% sir!"); prints bytes pointed to by that stack entry up through first NUL printf("%d %d %d %d..."); prints series of stack entries as integers printf("%d %s"); prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry printf("100% nuke m!"); What does the %n format do?? 40

41 %n writes the number of characters printed so far into the corresponding format argument. int report_cost(int item_num, int price) { int colon_offset; printf("item %d:%n $%d\n", item_num, &colon_offset, price); return colon_offset; } report_cost(3, 22) prints "item 3: $22" and returns the value 7 report_cost(987, 5) prints "item 987: $5" and returns the value 9 41

42 Fun With printf format strings... Computer Science 161 Fall 2018 printf("100% dude!"); prints value 4 bytes above retaddr as integer printf("100% sir!"); prints bytes pointed to by that stack entry up through first NUL printf("%d %d %d %d..."); prints series of stack entries as integers printf("%d %s"); prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry printf("100% nuke m!"); writes the value 3 to the address pointed to by stack entry 42

43 void safe() { char buf[64]; if (fgets(buf, 64, stdin) == NULL) return; printf("%s", buf); } 43

44 And Now: Lets Walk Through A Stack Overflow Computer Science 161 Fall 2018 Idea: We override a buffer on the stack... In the buffer we place some code of our choosing "Shellcode" Override the return address to point to code of our choosing Lets step through the process on an x